Introduction
The objective of this Policy is to establish the guidelines that all levels of the Company must follow regarding the Protection of Personal Data.
This Policy contains a description of the key elements, including human, organizational, technological, and documentary aspects, that the Company applies to protect personal data, preventing violations of the rights and freedoms of the data subjects.
At all levels of the Company, efforts will be made to ensure the real and effective application of the guidelines established in this Policy concerning data protection so that this self-regulation system eliminates behaviors that could jeopardize the personal data processed by the Company.
1. Scope of Application
- Corporate Scope. – This Policy shall apply to BOVÉ MONTERO Y ASOCIADOS, S.L. (hereinafter, “the entity”).
- Personal Scope. – This Policy shall apply to all levels of the entity, including governing bodies, executive positions, supervisory bodies, and all personnel.
- Relational Scope. – The scope of application of this Policy shall extend, to the extent possible, to the Company’s suppliers, advisors, clients, and other third parties.
- Geographical Scope. – This Policy shall apply to public and private relationships established by the Company in any geographical area.
2. Applicable Regulations
This Policy is adapted to the following regulations:
- General Data Protection Regulation of the EU (GDPR)
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights
- Law 34/2002, of July 11, on Information Society Services and Electronic Commerce
- Organic Law 1/1982, of May 5, on Civil Protection of the Right to Honor, Personal and Family Privacy, and One’s Own Image
Necessary adaptations to this Policy will be made based on legislative changes that occur, as well as the criteria established in:
- The guidelines, reports, and resolutions of the Spanish Data Protection Agency
- The guidelines, reports, and resolutions of the supervisory authorities of the remaining Member States of the European Union
- The Article 29 Working Party
- Rulings of the Court of Justice of the European Union
- Rulings of the National Court, the Supreme Court, and the Constitutional Court
3. Business Risks in Data Protection
The Company carries out its main activity as a service provider in the fields of auditing, consulting, accounting, legal-tax, and labor advisory services.
The special nature of personal data, the complexity of the applicable regulations, and the severity of the penalties established in them generate risks such as unauthorized access, unauthorized copying, disclosure or transfer to third parties, and other violations stipulated in the GDPR and local regulations.
The risks arising from non-compliance with legal obligations in data protection include:
- Administrative sanctions
- Crimes against privacy
- Compensation for damages
- Reputational damage
The protection of personal data is one of the entity’s core values and a priority objective for the Company, which requires a series of legal, technical, and organizational measures, summarized in this Policy and detailed in its internal regulations and procedures.
4. Objectives of Data Protection
The Company’s objectives in data protection are aligned with its business goals, prioritizing compliance with legal obligations applicable to its activities.
Data protection is considered a competitive advantage, as it allows the Company to differentiate itself from competitors who do not respect the privacy of their clients and collaborators or who mismanage their data, thus exposing themselves to significant financial penalties and reputational damage.
A priority objective in data protection will be compliance with the General Data Protection Regulation of the European Union and the Organic Law on Personal Data Protection and Guarantee of Digital Rights.
At all levels of the Company, there will be a commitment to meeting the established objectives in data protection and complying with the principles and obligations outlined in this Policy.
The Company may develop regulations and procedures that further define and detail this policy.
5. Principles of Data Protection
The Company’s data protection strategy will comply with the following principles:
- Lawfulness principle: The processing of personal data will be lawful if it is based on the consent of the data subject or another legal basis established by law.
- Transparency principle: The data subject must be informed of all circumstances related to the processing.
- Fairness principle: Personal data may not be processed under conditions different from those communicated.
- Purpose limitation principle: Personal data will be collected for specified, explicit, and legitimate purposes and will not be processed in a manner incompatible with those purposes.
- Data minimization principle: Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. This principle, along with the previous one, is further developed in the principles of necessity and proportionality applied to impact assessments.
- Accuracy principle: Personal data must be accurate and, where necessary, kept up to date. All reasonable measures must be taken to promptly delete or rectify inaccurate data concerning the purposes for which they are processed.
- Storage limitation principle: Personal data must be stored in a way that allows the identification of data subjects only for as long as necessary for the purposes of data processing.
- Integrity and confidentiality principle: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by implementing appropriate technical or organizational measures. Personal data will only be accessible to authorized users and may not be disclosed to third parties without the necessary authorization.
- Accountability principle: The Company will be responsible for ensuring compliance with data protection regulations and must be able to demonstrate such compliance.
- Data protection by design and by default: New processing activities, projects, services, and products will undergo a prior assessment of their impact on data protection.
6. Roles and Responsibilities
All roles and responsibilities will be differentiated and, as far as possible, assigned individually in the job description. In addition to this individualized assignment, all individuals within the Company, regardless of their level, will be required to comply with the rules, procedures, and controls established in the field of information security.
The ultimate responsibility for control in data protection will rest with the Data Protection and Information Security Committee.
The entity has regulations and procedures that establish the obligations of personnel in terms of data protection.
The Company will take the necessary measures to ensure that personnel understand in a clear manner the obligations related to data protection that affect the performance of their duties, as well as the consequences of non-compliance.
7. Record of Processing Activities
The Company will maintain a record of processing activities detailing the processing operations authorized as the Data Controller, as well as another record of processing operations carried out as the Data Processor.
In accordance with the principle of privacy by design and by default, and given that supervisory bodies cannot be aware of every data-related activity carried out within each department, any new processing or any modification of the attributes and characteristics assigned to an existing processing operation in the record must be communicated to the Data Protection Officer for evaluation and authorization, provided that it does not pose a risk to the rights and freedoms of the data subjects.
Additionally, the Company will inform all data subjects about the processing of their personal data through informational and consent clauses in accordance with Articles 13 and 14 of the GDPR.
8. Risk Analysis
All processing activities subject to this Security Policy must undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be conducted periodically.
The Company will periodically carry out an assessment of the risks and threats that affect data protection.
The risk analysis will be conducted through an inherent risk map, evaluating the raw risks that exist before the implementation of preventive, detection, and mitigation controls. This will then be followed by a residual risk map, where net risks existing after the application of controls will be assessed in an automated manner.
9. Guidelines for Risk Minimization
For risk management and minimization, the entity will apply physical, personnel, administrative, and network security measures, including:
- Logical access security: The Company applies security measures to protect logical access.
- Logical access of individuals to computer systems: The entity will implement a two-factor authentication system. The user will be assigned by the System Administrator and will set their own password. Additionally, the user will receive a code to validate authentication.
The password will always be unintelligible, even to the Administrator. If necessary (e.g., if the user forgets it), the System Administrator may force a password reset process without requiring the previous password.
- Access control to data and resources: The Company will develop regulations and procedures that specify and detail the control measures indicated in this section.
- Operating systems: All operating systems used in the Company’s computer systems require validation and authentication for access and use.
- Viruses and malware: All Company computers will have antivirus and antimalware software installed, which will be updated periodically. Firewalls will also be in place to control network traffic and detect unauthorized intrusions. Users will be promptly informed of basic measures to prevent the introduction of viruses and malware.
- User management: The list of all network users with authorized access to the information system must be updated, with clearly defined access levels to ensure confidentiality and integrity. The Company will also perform access control and monitoring of IT systems available to employees to protect information.
- Access limitation: To access IT resources, a user account must be assigned beforehand, and the user must be registered on the domain servers. Access authorization will establish the necessary profile, configuring the available features and privileges in applications according to each user’s responsibilities, adopting a policy of granting only the minimum privileges necessary to perform assigned tasks. Additionally, two-factor authentication will be used for access to domain servers.
- Wi-Fi security and wireless networks: The Company will implement appropriate measures to prevent unauthorized access to the entity’s Wi-Fi network.
- Servers and physical storage: All confidential information, as well as personal data, is stored on external provider servers that meet adequate compliance standards for data protection and information security.
- Backups: All backups performed by third parties will cover all necessary information to restore services in case of data corruption or loss (data, programs, configuration files, and even images of certain servers). Additionally, protocols regarding backup and data recovery will be in place.
For all relevant systems, security standards will be defined, including at least the following information: backup frequency, backup retention periods, backup storage locations, data recovery procedures, restoration procedures, and verification of the integrity of backed-up information.
- Authentication: Usernames and passwords are personal and non-transferable, and the user is solely responsible for any consequences resulting from misuse, disclosure, or loss of their credentials.
- Workstation security: Employees will be informed about the security policies established by the Company regarding workstation security, including automatic device locking requiring password reactivation after a specified period of inactivity and a zero-paper policy at workstations.
- Mobile devices: The Company will establish appropriate security measures for corporate mobile devices.
Users assigned corporate mobile devices must comply with specific usage policies and apply the corresponding security measures.
10. Contractual Obligations
In addition to the legal requirements regarding data protection, the Company will also be obliged to comply with specific data protection requirements imposed by its clients and suppliers concerning the personal data to which it has access as part of its contractual relationships.
The Company will pay special attention to contractual obligations related to the processing of personal data.
The Company will create and maintain an up-to-date record identifying and prioritizing obligations related to the protection of personal data it processes or accesses.
The Company will periodically verify that contractual obligations assumed in data protection matters are understood at all levels of the Company.
11. Supplier Control from a Privacy Perspective
The Company will maintain a record of all suppliers who process personal data on behalf of the Company or who have direct or indirect access to personal data managed by the Company.
If the need arises to contract a new service involving data processing, the Company will select suppliers through an evaluation process that considers the guarantees required by data protection laws.
In this evaluation, priority will be given to suppliers offering the highest guarantees in data protection.
The relationship with suppliers who process or have direct or indirect access to personal data will always be regulated through a contract that includes a specific section outlining the supplier’s obligations. These obligations will include, at a minimum, those established in Article 28 of the GDPR.
12. Data Retention Periods
The Company will retain personal data in such a way that allows the identification of data subjects only for as long as necessary for the purposes of processing. To this end, the Company will create and maintain an updated table establishing the retention periods for data it must or considers appropriate to retain.
In preparing this table, the Company will take into account the limitation periods for legal infractions and the restrictions established by the GDPR and the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights. Additionally, it will consider legal, sector-specific, and contractual obligations that may require longer retention periods.
The Company must also consider the retention periods communicated to data subjects when informing them of their rights.
Regarding the destruction of documentation, it must be carried out in a manner that ensures confidentiality throughout the entire process.
13. Management of Security Breaches and Incidents
Any situation that may compromise the confidentiality, integrity, availability, authenticity, or traceability of the Company’s information will be considered a security breach.
For this reason, the Company must establish appropriate cybersecurity measures, including protection against threats from communication networks, such as cyberattacks, denial-of-service attacks, unauthorized access, and system hijacking or ransomware, among others.
Any person who becomes aware of or suspects an incident that could affect data protection must report it immediately through the established communication channels.
If the security breach or incident poses a risk to the rights and freedoms of individuals, it must be reported no later than 72 hours after it is confirmed, to the competent Supervisory Authority, which in this case is the Spanish Data Protection Agency.
The entity has a protocol in place defining the systematic approach for incident notification and security vulnerability management. The objective is to ensure that security incidents and weaknesses associated with information systems are recorded and appropriately handled through corrective actions for repair, resolution, and restoration of normal service levels. Corrective measures may also be implemented to eliminate the root causes and prevent future occurrences.
14. Training and Awareness
All personnel within the entity are required to be aware of and comply with the Data Protection Policy. For this reason, the Company will promote continuous training and awareness activities at all levels regarding data protection.
Training may take the form of in-person sessions or e-learning courses.
Awareness efforts may be carried out through any type of materials and communication or training tools that help raise awareness of the risks of non-compliance at all levels of the Company.
Each employee is responsible for complying with this policy and the related protocols according to their role, as well as for reporting any detected security incidents.
15. Prevention of Violations
The primary objective of the Company with this Policy and the related rules, procedures, and controls is to prevent violations of the rights and freedoms of data subjects and to comply with personal data protection regulations.
The main reference framework for achieving this objective is the GDPR, which classifies violations into two categories: serious and very serious.
Serious violations may result in fines of up to 10 million euros or 2% of the Company’s total annual global turnover. This category includes, for example, inadequate technical or organizational measures, contracting data processors without sufficient guarantees, and failure to notify a data breach.
Very serious violations may result in fines of up to 20 million euros or 4% of the Company’s total annual global turnover. This category includes unlawful data processing, unlawful consent practices, and breaches of the duty of confidentiality.
16. Updates and Improvements to this Policy
This Policy will be periodically updated to reflect changes and improvements in data protection practices. BOVÉ MONTERO Y ASOCIADOS, S.L. will conduct regular reviews to verify compliance with prevention and control measures and will propose the necessary modifications in the event of relevant violations of this Policy, significant changes, or updates to the entity’s information systems.